r21880: pkinit and k5-int.h

Sam Hartman hartmans at painless-security.com
Fri Mar 20 16:47:38 EDT 2009

r21879 introduced configuration macros into the pkinit sources for
krb5.conf values that are used by pkinit.

I think the general concept is fine, as discussed on jabber.  However
the definitions for these macros cannot live in the k5-int.h for the
pkinit case.

One of the goals of the pkinit plugin was to try and minimize internal
dependencies and to use public interfaces where possible.  We made an
explicit decision that there was no good way to get pkinit ASN.1
encoders and decoders using public interfaces, so k5-int-pkinit.h was

Rather than including k5-int.h in pkinit, the pkinit related
configuration macros should be moved into a pkinit-specific header
file.  Probably a header in the pkinit sources would be better than
k5-int-pkinit.h, but k5-int-pkinit.h would be better than k5-int.h.

Reasons for doing this:

1) Consistency with explicit past decisions.
2) Eating our own dog food and trying as hard as we can to design pre-auth plugins the way we want others to do so so we can evaluate whether our interfaces are good enough
3) Establishing a modularity boundary; other parts of the code should not be looking at pkinit configuration parameters.

More information about the krbdev mailing list